Thycotic’s Cyber Security Publication

Create an Approval Workflow for Sensitive Secrets

October 15th, 2013

It’s important to understand how to properly create a workflow in Secret Server for secrets of a sensitive nature. For example, let’s say you have a Secret for the admin account on your production web server. You want to give all your web server administrators access to the Secret, but you only want them to log in for a specific reason, such as during an emergency or to perform maintenance or install new software.

To address this issue, Secret Server has a security feature called Require Approval for Access. This setting lets you grant a user access to a Secret by making the user enter a reason they would like to access the Secret. It can be used for any Secret within Secret Server. For our example today, your web server admins would enter the reason why they want to access the web server.

Secret Access Request | Secret Server

After the web admin explains why he wants access to the production web server, an email is sent to one or more people to approve. You can customize who receives the email and is allowed to approve the request – every Secret has a customizable approval list.

Next, those approving the request will receive an email notifying them of the request. Inside Secret Server, they can read the request, deny or approve it, and specify how long that user may have access to the Secret before they have to submit another request for access.

Request Access for Workflow | Secret Server

This entire request and approval process is logged in the audit trail of Secret Server, so if there are ever questions later, it can be double checked.